[00:01.540 --> 00:11.160]  Mosa and I do a lot of pentesting, red teaming, and we were kind of surprised by lack of deception technology.
[00:11.180 --> 00:19.920]  We didn't encounter it too much, and when we did, it was mostly on the internal networks, nothing on the perimeter level, recon level.
[00:20.200 --> 00:27.500]  And we both love Sacha Baron Cohen and his trolling, so we decided, let's start trolling.
[00:27.500 --> 00:33.100]  So that's why the talk is called How Blue Penetrates You, a.k.a. Trolling Hackers.
[00:34.160 --> 00:42.660]  So let's do it really quick. First of all, all of us are into the art of war, so all warfare is based on deception.
[00:43.680 --> 00:55.120]  So a little bit about us, I'm Danny Golan, I'm the CTO of NetAlpha Financial Systems, and I'll let Mo introduce himself.
[00:57.560 --> 01:01.100]  Mo Sanfried, I'm an advisor for Ledger Ops.
[01:04.700 --> 01:09.000]  All right, so Mo, you take over now. You start with the slide.
[01:10.660 --> 01:14.240]  Sure. So is everyone able to see my slides here?
[01:20.810 --> 01:27.110]  Okay, so as Danny mentioned, you know, deception has been around for quite some time.
[01:27.110 --> 01:36.350]  And, you know, the issue that we've had as of late with, you know, deception is that it's been heavily cited in favor of the red.
[01:36.350 --> 01:46.930]  You know, you've got everything from phishing, cloned login pages, legitimate credential use, phishing, farming, smishing, HIDs, thumb drives.
[01:46.930 --> 01:51.450]  It's been heavily lopsided in the deception game.
[01:51.450 --> 02:10.630]  So, you know, as a red teamer and a pen tester who originally started out on the blue side, I always felt that it's been, you know, just completely skewed as far as, you know, how much in favor it's been on the red.
[02:10.630 --> 02:30.030]  And, you know, personally to me, nothing's more frustrating as someone that's on the offensive side of security than running into, you know, red tape, bureaucracy, anything that, you know, results in wasted time.
[02:30.030 --> 02:41.890]  And, you know, my personal experience with deception is that it may lead you to a few, you know, trails that are off the beaten path.
[02:41.890 --> 02:55.090]  But over time, you start recognizing these patterns and it just isn't advanced and sophisticated enough where it's causing, you know, an adversary brutal pain.
[02:55.090 --> 02:56.290]  What's brutal pain?
[02:56.290 --> 03:03.490]  Well, you know, wasted time, burnt hours, you know, how am I going to, what's the best way to deter me?
[03:03.490 --> 03:10.670]  Not really in terms of, you know, deterrence for me isn't detecting payloads or things like that.
[03:10.670 --> 03:18.750]  Deterrence to me is just something that I spent, you know, let's say a week on to find out that it's not even a legitimate thing.
[03:18.750 --> 03:24.630]  So my personal and our personal belief is to let's make deception even better.
[03:24.630 --> 03:37.830]  Let's make deception so real so that, you know, it takes adversaries weeks, months, even if not longer to identify that, hey, you've just been pounding sand.
[03:38.050 --> 03:41.050]  And so this is really what, you know, this is for the blue guys.
[03:41.050 --> 03:43.250]  This is for, you know, the team that's in blue.
[03:43.250 --> 03:55.110]  Currently, and, you know, referring to the ATT&CK model, you know, a lot of the deception is currently happening in, you know, a few portions of the model.
[03:55.110 --> 04:01.510]  You know, we may see some deception inside of, you know, lateral movement.
[04:01.510 --> 04:12.550]  We might see some deception in the discovery phase, but really not so much in the other aspects of the ATT&CK framework, the model.
[04:12.550 --> 04:22.410]  So what we're suggesting is let's include, you know, what we're really trying to get at is like, let's get inception going in different phases.
[04:22.850 --> 04:35.550]  Let's try to sprinkle in deception in as many places as possible to kind of, you know, make it even more complicated and difficult for adversaries to compromise systems.
[04:35.550 --> 04:40.230]  So really, we just want to mislead people, mislead as much as possible.
[04:40.230 --> 04:49.350]  So, you know, we're really kind of attacking the ATT&CK framework, you know, in order to make it better, in order to make deception better.
[04:49.410 --> 04:52.550]  So, you know, as I mentioned, it's very limited.
[04:53.130 --> 04:56.350]  You know, we need to go beyond reconnaissance and lateral movement.
[04:56.390 --> 05:00.370]  And, you know, we want to take a multi-phase approach.
[05:00.370 --> 05:03.390]  We want to have deception in as many phases as possible.
[05:05.110 --> 05:16.110]  So, you know, we're talking about including at the recon phase, we want to have, you know, decoys for OSINT.
[05:16.110 --> 05:19.830]  We want to insert fake employees into an organization.
[05:19.830 --> 05:23.690]  And this is basically your organization's social media.
[05:24.750 --> 05:28.790]  You know, we want to have basically decoys all over the place.
[05:28.790 --> 05:33.870]  You know, we want to have decoys as far as password leaks.
[05:33.870 --> 05:53.450]  Let's go and leak, you know, password dumps, you know, include false information and wait for that information to be used on our decoy, you know, DPNs, decoy OWA, decoy Citric Access, RDP, SharePoint.
[05:53.450 --> 05:58.490]  Even when an attacker is enumerating your page, we want to have decoy subdomains.
[05:58.490 --> 06:00.850]  And, you know, Daniel has a demo for that.
[06:00.850 --> 06:09.150]  But what we really want to do is we just want to just make it so that people are getting completely frustrated targeting your organization.
[06:09.450 --> 06:10.870]  That's the objective.
[06:10.870 --> 06:13.450]  We want to, you know, hit them where it hurts.
[06:13.530 --> 06:22.290]  And for, you know, if it's just a script kitty or if it's someone that doesn't have infinite resources, they'll go away after some time.
[06:22.290 --> 06:27.810]  But if it's a targeted group, if it's an APT group, then, you know, they have all the time in the world.
[06:27.810 --> 06:30.370]  So what can we do is we can burn their time.
[06:30.370 --> 06:32.390]  We can make it very, very frustrating for them.
[06:32.390 --> 06:35.470]  And that's the objective of, you know, our talk here.
[06:35.550 --> 06:43.850]  So even, you know, some ideas that we've come up with is virtualized environments where, you know, adversaries are...
[06:43.850 --> 06:58.150]  where we're intentionally running malicious payloads and providing them access into, you know, decoy environments so that that way we can kind of track and trace what they're doing.
[06:58.150 --> 07:05.170]  We want to lure them in and provide new credentials to accounts that aren't even legitimate within Active Directory.
[07:05.390 --> 07:11.950]  You know, really whatever we can to burn their time to, you know, eat up their resources.
[07:11.950 --> 07:22.960]  All right.
[07:25.420 --> 07:30.820]  So we came up with this little framework we call the triple D.
[07:31.060 --> 07:37.760]  So we got on first, like, when you want to do deception, we don't want to do it to legitimate users.
[07:37.760 --> 07:42.100]  So we want to detect when someone is tampering or trying to scan our site.
[07:42.100 --> 07:43.900]  So we were looking at doing that.
[07:43.900 --> 07:47.080]  You have a bunch of tools doing automated scans.
[07:47.080 --> 07:49.060]  So we're able to fingerprint some of them.
[07:49.060 --> 07:58.000]  We left some breadcrumbs in the front end code, like some development environment links and different credentials.
[07:58.000 --> 08:02.400]  So if someone is using them, we can know that he's tampering with us.
[08:02.400 --> 08:11.380]  If someone's doing active enumeration, whether it's a dare buster or doing subdomain enumeration, we can see the amount of requests is not reasonable.
[08:11.380 --> 08:12.980]  So we can mark that.
[08:12.980 --> 08:22.360]  And the last thing we did is we actually went into the application layer, into the code, and we implemented some small vulnerabilities that are pretty common.
[08:22.540 --> 08:25.040]  But they changed the application flow.
[08:25.040 --> 08:27.240]  I will demo this in a couple of minutes.
[08:28.220 --> 08:30.740]  And then there's the deception part.
[08:30.740 --> 08:37.680]  So we do, if we do detect someone trying to attack, we want to manipulate the application flow.
[08:37.860 --> 08:41.860]  So it will look like everything is going well, like everything is working.
[08:41.860 --> 08:50.900]  But in reality, he's going to a whole different environment with everything looks real, but he'll be just wasting a lot of time.
[08:51.300 --> 08:58.700]  In terms of deception, there's also, we're doing some tests, adding like different headers using Nginx or proxy.
[08:58.700 --> 09:03.520]  We're just putting headers for different frameworks and seeing how the tools react to that.
[09:04.340 --> 09:09.800]  And for last, we did want to lure them in into a whole internal environment.
[09:09.800 --> 09:16.300]  So we did put out a vulnerable service for that, which will also be demoed.
[09:16.580 --> 09:24.060]  And in terms of deterrence, which is a third D, we wanted to force them to do as much manual work as we can.
[09:24.240 --> 09:33.340]  And a lot of resources exhaustion, especially with hashed passwords, if they're trying to crack them, we just want to waste their time and resources.
[09:33.420 --> 09:36.560]  And we saw that as deterrence.
[09:39.500 --> 09:45.400]  So for manipulating subdomains, we took the top five tools for subdomain enumeration.
[09:45.700 --> 09:52.680]  And we wanted to see how we can make them break or basically give a lot of noise so they don't really give the attackers value.
[09:53.560 --> 09:59.180]  Because when we use them, you know, if you get 10, 20 domains, and they're legit, it's fine, you go over them.
[09:59.180 --> 10:06.040]  But we want to give them as much noise as possible, like 100, 500, like 1000 subdomains.
[10:06.040 --> 10:10.520]  So there's no way to actually automatically know which ones are real or not.
[10:10.520 --> 10:11.980]  And it takes time.
[10:13.220 --> 10:20.240]  So one of the ways that those tools actually detect subdomains is they look for SSL certificates.
[10:20.460 --> 10:24.000]  So today with Let's Encrypt, it's free.
[10:24.340 --> 10:30.100]  You can do up to 100 subdomains per certificate and up to 50 certificates per week.
[10:30.400 --> 10:34.260]  So you can basically do 5000 subdomains.
[10:35.340 --> 10:39.580]  It's a one-liner. It's pretty easy, as you can see.
[10:39.740 --> 10:43.660]  And under the domains flag, you can put a bunch of domains.
[10:43.660 --> 10:46.600]  This is all automated. It's free.
[10:46.840 --> 10:52.000]  And then we wanted to do something for active enumeration as well.
[10:52.000 --> 10:59.560]  So Nginx, which is like a really popular proxy, has a random index module, which lets you serve random pages.
[10:59.560 --> 11:05.800]  So combine that with downloading 1000 pages from Wayback Machine.
[11:08.920 --> 11:16.500]  And this block, which did not show up well, but as you can see, there's this HTTP block and the server block.
[11:16.820 --> 11:21.180]  Ignore the part in the middle, which did not disappear. Sorry about that.
[11:21.400 --> 11:26.860]  But under the location block, you can see that there's the random index.
[11:26.860 --> 11:32.300]  And it will just, every time you go to any subdomain, it will serve you a random page.
[11:32.620 --> 11:41.880]  And since Nginx works on top-down, so you put your legit server blocks above, so they will have your real servers.
[11:42.120 --> 11:45.740]  Anything else will just go to random pages.
[11:45.800 --> 11:51.720]  And it did break a couple of tools and even tools that do like spider-style scans.
[11:52.220 --> 11:58.900]  It broke them as well because a bunch of random pages have a bunch of random links, and it just went haywire.
[11:59.340 --> 12:05.800]  And in terms of DNS, you just put a CNAME record with a wildcard, and that worked really well for us.
[12:07.040 --> 12:11.400]  So like we said, we love Sacha Baron Cohen, so this is a warning.
[12:11.400 --> 12:17.220]  We did break a lot of tools, and I'll show you a demo right now.
[12:17.220 --> 12:22.490]  So I'm using Amass to do enumeration.
[12:23.240 --> 12:31.220]  So this video was about five minutes, and my computer was basically burning hot after those five minutes,
[12:31.220 --> 12:35.800]  because the active enumeration just did not give so many results.
[12:35.800 --> 12:39.620]  And the other two tools just legit froze.
[12:39.620 --> 12:41.540]  We couldn't even keep going with them.
[12:42.280 --> 12:46.980]  So you can see there's just a simple certificate with 100 domains.
[12:46.980 --> 12:49.820]  Most of them are fake domains.
[12:51.180 --> 12:55.900]  Let me just freeze that at the bottom at the end of this.
[12:55.920 --> 13:05.860]  So I gave those domains names like Jenkins, like dev environment, staging environment, things that look legit.
[13:05.860 --> 13:13.460]  So basically an attacker, this was only 100, but if I do 5,000, he would have to manually go and look at them.
[13:15.240 --> 13:19.180]  So for the second thing, we're thinking like app level deception.
[13:19.280 --> 13:25.340]  So the two solutions we've thought about were either going into the app's code and actually changing things.
[13:25.340 --> 13:31.060]  So it's more work, it's custom for every web server you have, but it's very, very flexible.
[13:31.060 --> 13:35.880]  You can basically implement any vulnerability you want.
[13:36.580 --> 13:42.040]  And the other way was if you're using open source WAF, like Naxi or ModSecurity,
[13:42.040 --> 13:48.560]  you can do it more generalized, especially for SQL injections and XSS.
[13:48.840 --> 13:56.220]  But for this presentation, I'm just going to look at a simple code for a Flask web server.
[13:56.400 --> 14:01.480]  So the vulnerability I chose, I've seen it a bit.
[14:01.480 --> 14:06.860]  And it's a very bad vulnerability once you see it in the wild.
[14:07.080 --> 14:14.680]  So I got a little Flask server, and I used JWT, Flask JWT,
[14:14.680 --> 14:19.900]  which basically checks the JWT token, takes the identity out,
[14:19.900 --> 14:24.840]  and it checks if it's a valid token or not, if it was tampered with based on the signature.
[14:24.840 --> 14:31.820]  And there was an attack, which basically you put a non-null algorithm in the field,
[14:31.820 --> 14:34.620]  and it bypasses the signature validation.
[14:35.260 --> 14:43.640]  So what you can see here is I made a custom function that checks that identity.
[14:43.640 --> 14:49.840]  But if it gets an exception for invalid signature or invalid algorithm,
[14:49.840 --> 14:54.780]  it's not going to return an A user that will keep everything going regularly,
[14:54.780 --> 14:58.060]  but we're going to manipulate the flow of the application.
[14:58.160 --> 15:02.080]  So you can see that I did a print attacker detected,
[15:02.080 --> 15:08.840]  and on the endpoint itself, you can see that I'm checking for the current user from that token.
[15:08.840 --> 15:11.060]  If it's a valid user, it's a regular flow.
[15:11.060 --> 15:17.440]  I use my ORM, which sanitizes the input and returns the user.
[15:17.440 --> 15:22.700]  But under the else statement, you can see the tailored deceptive flow.
[15:23.260 --> 15:29.960]  I have an on-purpose vulnerable line for SQL injection,
[15:29.960 --> 15:32.760]  and I'm basically going to let him do a SQL injection
[15:32.760 --> 15:37.640]  and return him just a bunch of bogus users with their hashed passwords.
[15:38.060 --> 15:40.780]  And that's what he's going to get.
[15:40.780 --> 15:43.680]  You can see the super simple SQL injection,
[15:43.680 --> 15:48.900]  and I've minimized it so it doesn't show all the users,
[15:48.900 --> 15:54.000]  but you can think of how long it'll take someone to actually put the time to crack those passwords
[15:54.560 --> 15:57.740]  when they're actually... they don't mean anything.
[15:58.140 --> 16:01.100]  So this was a super simple example.
[16:01.100 --> 16:08.780]  You can generalize it to all of your Flask servers or any other framework by using decorators in Python.
[16:11.020 --> 16:15.020]  So we made a couple people mad when we asked them to test the website,
[16:15.020 --> 16:17.320]  because, you know, who likes wasting time?
[16:19.000 --> 16:22.020]  And at some point, like, which news do you want?
[16:22.020 --> 16:23.720]  You never know if it's real or not.
[16:24.140 --> 16:30.200]  As long as you make it look 100% real, you know, people waste their time.
[16:30.240 --> 16:33.680]  And we found that, especially with the subdomain enumeration,
[16:33.680 --> 16:37.040]  we used to get a lot of scans on the demo site.
[16:37.040 --> 16:40.960]  We put just a bunch of tools, and once we implemented some of these techniques,
[16:40.960 --> 16:43.260]  it went down by around 70%.
[16:43.260 --> 16:46.000]  So we're super happy to see that.
[16:47.460 --> 16:52.360]  The second thing I want to show is, if you're familiar or not familiar with,
[16:52.360 --> 16:56.040]  I'll do a quick intro to FUSE, which is file system and user space.
[16:57.240 --> 17:01.500]  It's an interface to let you export a file system to the kernel,
[17:02.040 --> 17:05.840]  and you get full control over reading, writing, listing.
[17:05.840 --> 17:10.040]  And we took advantage of this to just sprinkle the file system
[17:10.040 --> 17:15.360]  with a bunch of interesting files, like bb-backup, vm-backups,
[17:15.360 --> 17:18.200]  like finance and accounting, Excel sheets.
[17:18.300 --> 17:21.960]  And the nice thing is, it's all virtual, so you have full control
[17:21.960 --> 17:25.460]  of how the file looks in terms of the size.
[17:25.460 --> 17:31.300]  So we put, like, here you can see that the fake file name is bb-backup.eng
[17:31.300 --> 17:34.580]  for encrypted. It's a 5-dig file.
[17:34.580 --> 17:40.720]  And under the read function definition, you can see that it will,
[17:40.720 --> 17:44.220]  if you try to read it, it will just generate random bytes.
[17:44.220 --> 17:46.500]  It can do it, like, for days.
[17:48.220 --> 17:52.360]  And this other thing we're experimenting with is adding random timeouts
[17:52.360 --> 17:56.380]  when copying the files, because who... I mean, it's awful, you know,
[17:56.380 --> 18:00.640]  you copy a 50-gig file, and then you get a timeout randomly.
[18:02.920 --> 18:06.680]  So there we have Borad saying this file is real, not.
[18:07.260 --> 18:12.980]  And first thing is, here I start the script called the DeceptiveFuse,
[18:12.980 --> 18:16.240]  and I'm going to mount it to this folder called bb.
[18:22.380 --> 18:27.080]  And now when I list the folder, we can see that this is a 4.7-gigabyte file.
[18:28.280 --> 18:30.560]  And let's just try to read out the contents.
[18:41.240 --> 18:44.340]  Yeah, so this will go on and go on and go on.
[18:44.340 --> 18:47.980]  And since it's an uninterrupted file, it could be legit.
[18:50.840 --> 18:55.020]  So now we're thinking, okay, we did the perimeter.
[18:55.020 --> 18:56.460]  We did some app-level stuff.
[18:56.460 --> 19:00.580]  We want to lure them in to our Declan environment.
[19:01.060 --> 19:05.060]  So Vulnhub, for the win, great resource.
[19:05.060 --> 19:08.400]  So these days with the cloud and DevOps, Dockers,
[19:08.900 --> 19:12.500]  Vulnhub, the GitHub page is full of Docker images vulnerable
[19:12.500 --> 19:14.660]  to specific vulnerabilities.
[19:14.800 --> 19:18.380]  I chose Jenkins because who doesn't like popping a Jenkins server?
[19:18.380 --> 19:23.180]  It's a goldmine for API keys, for source code.
[19:24.420 --> 19:28.260]  Yeah, it's a goldmine for getting some info about the organization
[19:28.260 --> 19:30.240]  and the code they're running.
[19:30.860 --> 19:34.360]  So I deployed this on AWS, on ECS.
[19:34.380 --> 19:36.380]  It's in a Docker image.
[19:36.840 --> 19:39.800]  There's a link at the bottom of the slide.
[19:39.800 --> 19:42.900]  This is a vulnerability found by OrangeSci,
[19:42.900 --> 19:47.040]  which gives you a remote cloud execution.
[19:48.060 --> 19:52.860]  And with the vulnerability added to the file,
[19:52.860 --> 19:57.980]  I was able to add some users to the shadow file,
[19:57.980 --> 20:00.420]  which will... let's see.
[20:00.420 --> 20:03.660]  Okay, so... sorry about that.
[20:05.850 --> 20:09.170]  So I'm going to start Netcat, just import 8080.
[20:09.170 --> 20:15.050]  I'm going to use ngrok to give myself a publicly accessible address.
[20:23.680 --> 20:28.020]  So this is the POC by OrangeSci.
[20:28.500 --> 20:31.560]  Did a little bit of editing to make it work in Python 3.
[20:31.560 --> 20:32.680]  It wasn't too bad.
[20:32.920 --> 20:34.740]  This is the address.
[20:34.740 --> 20:39.020]  You can see the address to the container running on AWS.
[20:39.220 --> 20:43.560]  And I'm just going to post our curl command to read the shadow file
[20:43.560 --> 20:44.720]  and send it over.
[20:52.360 --> 20:54.240]  Yeah, and there we go.
[20:54.240 --> 21:01.400]  You can see that we have LEG, Admiral, General, Aladin, Borat, Zagdaev, and Iran Marad
[21:01.400 --> 21:04.580]  with pretty complex passwords.
[21:04.580 --> 21:07.960]  The only one we left as an easy password was LEG,
[21:07.960 --> 21:11.180]  because that's what we're going to use as credential reuse
[21:11.180 --> 21:16.120]  to hop into the AD environment, which Mo will show in a minute.
[21:16.340 --> 21:19.040]  So, yeah, let's go internal.
[21:19.040 --> 21:25.720]  And I will post on GitHub the edited Docker file and all the code that I showed.
[21:27.380 --> 21:28.840]  So, Mo?
[21:29.860 --> 21:31.400]  Thank you, Danny.
[21:31.460 --> 21:33.540]  That was really fun to watch.
[21:33.700 --> 21:38.460]  So essentially, as Danny mentioned, we've got credential reuse.
[21:38.460 --> 21:43.680]  So we intentionally have one user with a very easy password break
[21:44.400 --> 21:50.860]  in our lab environment, pivoting from the external to internal.
[21:51.460 --> 21:57.020]  Let's say in theory that this organization has a VPN accessible.
[21:57.740 --> 22:01.300]  We're working with, let's say, a non-interactive login account.
[22:01.680 --> 22:05.000]  We've got the user who has VPN access.
[22:05.040 --> 22:07.080]  He hops into the internal.
[22:07.080 --> 22:11.880]  He can't authenticate to any of the boxes because he has a non-interactive account.
[22:11.880 --> 22:16.480]  Let's say he finds a box with null sessions.
[22:16.480 --> 22:19.600]  He enumerates active directory.
[22:19.600 --> 22:24.240]  What we're really doing is we're just basically replicating the flow
[22:24.240 --> 22:33.180]  of what an adversary would do in the event that they have limited access,
[22:33.480 --> 22:39.680]  just kind of like your typical post-exploitation flow.
[22:39.680 --> 22:46.020]  So we set up a fake active directory environment,
[22:46.380 --> 22:51.040]  and we didn't give the user the ability to access anything
[22:51.040 --> 22:55.080]  with the actually login to a system.
[22:55.760 --> 23:00.940]  So what we're doing is we're creating the environment.
[23:00.940 --> 23:07.540]  We're creating a mock AD environment and putting out a low-hanging fruit
[23:07.540 --> 23:14.400]  that does not actually come to fruit, if that makes sense.
[23:14.400 --> 23:19.560]  So what we're doing is essentially we are leading people into...
[23:20.080 --> 23:22.940]  we're luring them in with a whole bunch of low-hanging fruit,
[23:22.940 --> 23:26.560]  but they're all going to be dead ends.
[23:26.700 --> 23:32.120]  So yes, the attacker enumerates AD, but it's a mock AD.
[23:32.200 --> 23:33.560]  The attributes are fake.
[23:33.560 --> 23:36.320]  The users are non-existent.
[23:36.320 --> 23:41.160]  They're basically in a sandbox, and they're just digging deeper and deeper
[23:41.160 --> 23:43.540]  without even knowing that they're in a sandbox.
[23:43.960 --> 23:46.360]  We have anonymous shares out there.
[23:46.660 --> 23:49.340]  We lure them in with sensitive info.
[23:49.780 --> 23:55.800]  We have the attacker upload malicious SCF files, have them fire up Responder
[23:56.520 --> 24:01.760]  or different LMR NVT poisoning attacks.
[24:02.060 --> 24:04.100]  We're going to respond to them.
[24:04.100 --> 24:09.200]  We're effectively just throwing them into...
[24:09.200 --> 24:13.260]  giving them breadcrumbs that ultimately lead to nowhere.
[24:13.860 --> 24:21.020]  So we will have SMB boxes with SMB signing disabled.
[24:21.020 --> 24:23.500]  They're going to have relay attempts.
[24:23.620 --> 24:30.300]  We're going to give them net NTLM hashes with passwords that are incredible to crack,
[24:30.300 --> 24:32.460]  just exceptionally difficult to crack.
[24:32.460 --> 24:38.780]  Just have them burn up resources, burn up time, pound on sand, if you will.
[24:39.220 --> 24:42.980]  So this includes exhausting different man-in-the-middle attacks.
[24:43.000 --> 24:45.380]  What we really want to do is just have them run the gamut
[24:45.380 --> 24:49.880]  before they really actually either, number one, give up,
[24:49.880 --> 24:54.780]  or number two, are in it so deep that they typically get tunnel vision,
[24:54.780 --> 24:56.840]  will have canaries out there.
[24:56.840 --> 25:02.420]  Just kind of really want to, at the end of the day, just aggravate people.
[25:02.420 --> 25:06.940]  If you have a really good product, you're going to aggravate people,
[25:06.940 --> 25:09.840]  which is going to really just kind of...
[25:09.840 --> 25:13.040]  the nature of a pen tester or someone that's on the offensive side
[25:13.040 --> 25:17.020]  is typically you get tunnel vision.
[25:17.020 --> 25:20.960]  You kind of start beating up on the same boxes, or you're repeating the same thing.
[25:20.960 --> 25:22.600]  You kind of get into a routine.
[25:22.600 --> 25:30.600]  So that's the kind of flow that we want to get people into.
[25:30.800 --> 25:34.960]  Ultimately, we have telemetry in place.
[25:35.040 --> 25:42.100]  We want to make it so that the attacker is going to get gradually louder and louder,
[25:42.100 --> 25:47.080]  and the whole time we're just following their actions.
[25:47.080 --> 25:48.760]  We're monitoring what they're doing.
[25:48.760 --> 25:52.320]  So just a quick look at our user here, Ali G.
[25:52.620 --> 25:53.820]  Respect.
[25:53.880 --> 25:59.780]  And our mock environment here that we set up that we use for testing.
[26:01.080 --> 26:05.020]  So a couple of tools, a couple of shout outs.
[26:05.480 --> 26:06.900]  Number one, Deja Vu.
[26:06.900 --> 26:11.100]  It's an open source deception framework that we used.
[26:11.440 --> 26:17.620]  And Detection Lab, which the links will be available within the slides.
[26:17.620 --> 26:20.660]  I highly recommend it for our internal environment.
[26:20.660 --> 26:29.100]  We were able to spin something up within AWS and locally very, very quickly, very cost effective.
[26:29.100 --> 26:35.720]  And on top of that, we leveraged Deception and Active Directory.
[26:35.720 --> 26:44.180]  Nickel, he wrote Deploy Deception, an exceptional set of PowerShell scripts
[26:44.180 --> 26:52.040]  that will allow you to create an entire mock Active Directory environment
[26:52.040 --> 27:01.520]  with objects and attributes where you can create a fake user with different permissions
[27:01.520 --> 27:09.620]  and really just kind of take out the tedious work that's involved in creating this sort of environment.
[27:09.620 --> 27:13.700]  Obviously, you want to, you know, customize it as much as possible.
[27:13.700 --> 27:19.460]  But, you know, a lot of respect for Nickel for putting this together.
[27:19.600 --> 27:25.320]  You know, it allows the adversary to enumerate decoy objects with aggressive logging enabled
[27:25.320 --> 27:30.160]  and just makes it exceptionally easy to set up.
[27:30.160 --> 27:34.160]  And, you know, really sets up different types of attacks,
[27:35.520 --> 27:40.100]  different types of, you know, users with passwords that don't expire,
[27:40.100 --> 27:46.400]  people with members of elevated privilege groups, users with ACL rights.
[27:47.640 --> 27:55.260]  Ultimately, what this allows is that it increases the time that an attacker is within your environment,
[27:55.260 --> 27:58.600]  in your mock environment, and it increases a higher detection rate.
[27:59.680 --> 28:04.080]  And it's, you know, as I mentioned, it's very easy to deploy with PowerShell.
[28:05.940 --> 28:14.480]  So, you know, hopping on Ali G, we've got, you know, going into the lateral movement aspect,
[28:14.480 --> 28:18.320]  we've got hunting creds, hunting tokens, hunting users.
[28:18.320 --> 28:21.980]  Now, this is pretty typical of a lot of decoy products.
[28:21.980 --> 28:29.980]  We're going to create a decoy admin account, and we have logging enabled for this account.
[28:30.300 --> 28:33.760]  And we're going to deny login for this DA account.
[28:33.760 --> 28:41.020]  So in the event that, you know, when the attacker does stumble upon our hunting creds or hunting tokens,
[28:41.020 --> 28:46.500]  we'll get an alert for this account, someone attempting to log in.
[28:46.500 --> 28:51.860]  And, you know, one of the methods that we leverage is by, you know, allowing, you know,
[28:51.860 --> 29:00.720]  making sure that this dummy honey DA account doesn't have the ability to log on to any systems.
[29:00.720 --> 29:09.240]  And we do this, one of the methods is by, you know, assigning that account to a computer that does not exist.
[29:09.600 --> 29:15.420]  And this is the type of, you know, alert that you would get.
[29:18.760 --> 29:23.220]  And, you know, that account is heavily logged and alerted.
[29:23.220 --> 29:30.020]  And then a few things, you know, that in my research for this was going into different types of detection
[29:30.020 --> 29:34.840]  that's in place for, you know, decoy environments.
[29:34.840 --> 29:38.520]  And one of the projects that I stumbled upon is called the Honey Pot Buster,
[29:38.520 --> 29:44.500]  which helps you, you know, kind of audit and test your environment, your decoy environment,
[29:44.500 --> 29:53.420]  just to see what is the ability to actually detect, you know, your attackers within a decoy environment.
[29:53.420 --> 30:01.560]  This kind of gives you an understanding of the legitimacy, how real does it, you know, does your decoy environment look.
[30:07.670 --> 30:15.150]  So, some of the things that we could do to make your, to identify,
[30:15.150 --> 30:22.170]  some of the things that we could do to identify whether your environment is a,
[30:22.170 --> 30:25.550]  let's say, you know, you're in a decoy environment.
[30:25.550 --> 30:33.650]  You could look at some of the products, and this is coming from Nicole's, and I apologize for mispronouncing your name,
[30:33.650 --> 30:39.370]  but some of the things that he identified in his research was that, you know, the object SID,
[30:39.370 --> 30:43.630]  the last login, the last logon timestamp, login count, bad password count.
[30:43.630 --> 30:50.870]  This is from his research in identifying attributes within the mock Active Directory environment
[30:50.870 --> 30:58.950]  that can basically, an attacker can look at and say, okay, you know, here's a user that's never logged on
[30:58.950 --> 31:04.170]  and he has zero login attempts, zero failed password attempts.
[31:04.510 --> 31:07.870]  You know, these are all attributes that can give away your decoy environment.
[31:07.870 --> 31:12.630]  So, some of the things that you want to take into consideration when building your mock environment
[31:12.630 --> 31:15.670]  to kind of make it look as real as possible.
[31:16.630 --> 31:26.210]  Some of the other tools that, you know, that we've, that I've seen for detecting LMR and MBT poisoning,
[31:26.210 --> 31:29.990]  there's, you know, honeypots that detect this sort of behavior.
[31:30.330 --> 31:39.570]  It's fairly simple. A lot of them will, you know, broadcast to 255.255.255.255,
[31:39.570 --> 31:48.550]  and this is a clear indication that you're looking at an LMR and MBT poisoning, you know, layer 2 honeypot.
[31:48.550 --> 31:55.870]  And really simple bypass or workaround is to just set up TCP dump or Wireshark to look for that.
[31:55.870 --> 32:02.670]  And, you know, ignore within, you know, whatever poisoning tool that you prefer.
[32:03.590 --> 32:10.510]  And obviously, whenever you hop on a network, you want to use respond and analyze only mode.
[32:11.450 --> 32:16.210]  So, you know, the final point, what we're getting at and kind of coming full circle
[32:16.730 --> 32:21.910]  is that when building these types of environments, you want to keep it as realistic as possible.
[32:21.910 --> 32:33.070]  You know, the objective is to, you know, make it so that the attacker, it takes an exceptionally long time
[32:33.070 --> 32:41.050]  for the attacker to, you know, identify that they're in a staged environment, that it's false
[32:41.050 --> 32:44.290]  and that they're kind of just being run around in circles.
[32:44.930 --> 32:50.410]  And, you know, at the end of the day, this industry and this game, the nature of this game
[32:50.410 --> 32:59.330]  is always going to be a game, cat and mouse. But if you can make it so that it takes the adversary
[32:59.650 --> 33:05.590]  a really long time, hours and hours of their time has been wasted sitting around in this environment.
[33:05.590 --> 33:12.350]  If you can burn their time, that is something that is finite and will ultimately never can,
[33:12.350 --> 33:14.570]  no matter who you are, you can never buy more time.
[33:14.570 --> 33:19.710]  So that's our objective and, you know...
[33:19.710 --> 33:28.710]  Yeah, a lot of it was looking into how do we change this whole process from what Mo showed,
[33:28.710 --> 33:38.070]  which is like the recon, the LinkedIn fake users and just like sprinkling passwords and fake password dumps
[33:38.070 --> 33:44.030]  or like in real password dumps. But getting all that out there and those little click baits
[33:44.030 --> 33:50.830]  for like going into those emails. And then from there, how we take it to the perimeter level
[33:50.830 --> 33:57.410]  and the app level and just like pull them down into the rabbit hole until they get into that AV environment
[33:57.410 --> 34:07.170]  and they've been just wasting weeks or like days, weeks, as long as they need for realizing that it was all nothing.
[34:07.290 --> 34:12.390]  So, I mean, that's part of like the more sophisticated attackers, they will go in deeper and deeper
[34:12.390 --> 34:19.950]  because they have the resources to actually crack all those passwords and do the manual labor.
[34:19.950 --> 34:25.770]  But the deterrence is more for the strip kiddies or the lower level attackers that, you know,
[34:25.770 --> 34:32.310]  once you hit them with 100 hashes and they actually need to start cracking it, they need to get those resources.
[34:32.630 --> 34:41.310]  It deters a lot of attackers. And then especially for perimeter and app level, since you do not have really tools for that,
[34:41.310 --> 34:50.290]  and it's mostly custom, so it's kind of easier to implement that into your flow without...
[34:50.290 --> 34:57.170]  because there are no tools to detect. And I mean, this was just the start, you know, we had one presentation,
[34:57.170 --> 35:05.070]  we were working on more cloud-related deception, utilizing the AWS agent and fake access keys,
[35:05.070 --> 35:14.330]  which we hope that for next time we'll have something great with that. We will, but it'll just take us some time.
[35:14.330 --> 35:17.690]  But yeah, this is an endless journey on going this path.
[35:21.420 --> 35:27.420]  All right. Great talk, everyone. Really appreciate it. Our first question comes from Mark.
[35:28.440 --> 35:32.840]  Are you looking at any disruptions in Office 365 or Azure AD?
[35:36.850 --> 35:44.270]  Oh, you want to take that one? I'll just say that we did not look at Azure AD at all.
[35:44.390 --> 35:49.730]  We did spin up an AD environment that's more similar to an internal network.
[35:50.070 --> 35:55.490]  So most of the things we did on cloud was related to the web apps and the perimeter.
[35:55.690 --> 36:00.270]  And then from there, it was like a pivot into an internal network.
[36:05.090 --> 36:12.410]  Right. As Danny mentioned, this is just kind of the... Mark, thank you for the question.
[36:12.470 --> 36:18.570]  And no, not yet, but we would love to work on that.
[36:19.110 --> 36:27.730]  And, you know, if anyone's willing to... is interested in collaborating on this, Danny and I are beyond excited to do so.
[36:28.930 --> 36:32.590]  And I guess one last question real quick for me.
[36:32.590 --> 36:41.170]  I've seen a lot of companies and solutions, open source solutions, pop up in the active defense honeypots kind of arena.
[36:41.250 --> 36:47.670]  Do both of you have any sort of predictions or where do you see the future of these tool sets going?
[36:49.350 --> 36:57.050]  I'll say from my side that most tools that we saw and encountered in Pentest or Red Teaming,
[36:57.050 --> 37:00.650]  like I said in the beginning, they were focused on internal networks.
[37:00.650 --> 37:09.470]  And then today with this whole migration to the cloud and microservices and Docker containers,
[37:09.470 --> 37:16.690]  which are replacing a lot of big web servers, these to be big like monolith web servers or Microsoft servers.
[37:16.690 --> 37:23.050]  And we did not see any tools or anything relevant for that.
[37:23.050 --> 37:31.150]  So we do hope that, you know, it will go to that path because like we saw in the second slide,
[37:31.150 --> 37:35.110]  where we have the comparison of Deception and Red Team and Blue Team,
[37:35.110 --> 37:39.250]  like Blue Teaming is way, way behind on Deception technologies.
[37:39.550 --> 37:44.630]  And then, I mean, we did this talk because we are trying to push this forward in this research.
[37:44.630 --> 37:48.630]  So hopefully, it'll advance a lot.
